
Ethical Hacking and Countermeasures
Version 6

Module XVII: Web Application Vulnerabilities
Module Objective

This module will familiarize you with:

• Web Application Setup
• Objectives of Web Application Hacking
• Anatomy of an Attack
• Web Application Threats
• Countermeasures
• Web Application Hacking Tools

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Web Application Setup

A client/server software application that interacts with users or other systems using HTTP

Modern applications are written in Java (or similar languages) and run on distributed application servers, connecting to multiple data sources through complex business logic tiers

Web Application Setup (cont’d)

Web Application Threats

• Cross-site scripting
• SQL injection
• Command injection
• Cookie/session poisoning
• Parameter/form tampering
• Buffer overflow
• Directory traversal/forceful browsing
• Cryptographic interception
• Cookie snooping
• Authentication hijacking
• Log tampering
• Error message interception attack
• Attack obfuscation
• Platform exploits
• DMZ protocol attacks
• Security management exploits
• Web services attacks
• Zero-day attack
• Network access attacks
• TCP fragmentation

Cross-Site Scripting/XSS Flaws

Cross-site scripting occurs when an attacker uses a web application to send malicious code, generally JavaScript

Stored attacks are those where the injected code is permanently stored on the target servers, in a database

Reflected attacks are those where the injected code takes another route to the victim, such as in an email message

Disclosure of the user's session cookie allows an attacker to hijack the user's session and take over the account

In cross-site scripting, end user files are disclosed, Trojan horse programs are installed, the user is redirected to some other page, and presentation of the content is modified

Web servers, application servers, and web application environments are susceptible to cross-site scripting

An Example of XSS
A hacker realizes that the XSECURITY website suffers from a cross-site scripting bug

The hacker sends you an e-mail that claims you have just won a vacation getaway and all you have to do is
"click here" to claim your prize

The URL for the hypertext link is www.xsecurity.com/default.asp?name=<script>evilScript()</script>

When you click this link, the website tries to be friendly by greeting you, but instead displays, “Welcome
Back !”

What happened to your name? By clicking the link in the e-mail, you have told the XSECURITY website
that your name is <script>evilScript()</script>

The web server generated HTML with this “name” embedded and sends it to your browser

Your browser correctly interprets this as script and runs the script

If this script instructs the browser to send a cookie containing your stock portfolio to the hacker's
computer, it quickly complies

After all, the instruction came from the XSECURITY website, which owns that cookie

Countermeasures

Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification

Adopt a stringent security policy

Filtering script output can also defeat XSS vulnerabilities by preventing them from being transmitted to users
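As an added example (not part of the EC-Council slides), the XSECURITY greeting page from the XSS example above in Python: the rendering the slide describes beside a version that applies both countermeasures, validating the name parameter against a strict specification and escaping the output. The URL, the NAME_SPEC pattern and the function names are assumptions made for this demo.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The link from the example slide, as the browser would request it (constructed input).
EXAMPLE_URL = "http://www.xsecurity.com/default.asp?name=<script>evilScript()</script>"

# Rigorous specification for the "name" parameter (assumed for this demo):
# a letter followed by up to 39 letters, spaces, hyphens or apostrophes.
NAME_SPEC = re.compile(r"^[A-Za-z][A-Za-z' -]{0,39}$")


def name_from_url(url):
    """Extract the 'name' query parameter exactly as the server receives it."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def greet_vulnerable(name):
    """The behaviour on the slide: the parameter is embedded in the HTML as-is,
    so the browser interprets the injected tag as script."""
    return "<h1>Welcome Back " + name + "!</h1>"


def greet_hardened(name):
    """Input side: reject anything outside the specification.
    Output side: HTML-escape what is rendered, so the parameter can never
    be interpreted as markup even if validation is loosened later."""
    if not NAME_SPEC.match(name):
        name = ""  # out-of-spec value: fall back to an anonymous greeting
    return "<h1>Welcome Back " + html.escape(name, quote=True) + "!</h1>"


def contains_script(page):
    """True if a rendered page still carries a <script> tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    injected = name_from_url(EXAMPLE_URL)
    print(greet_vulnerable(injected))   # the script tag reaches the browser
    print(greet_hardened(injected))     # rejected by the spec: "Welcome Back !"
    print(greet_hardened("O'Brien"))    # legitimate name, apostrophe escaped
```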

SQL Injection

SQL injection uses SQL to directly manipulate a database's data

An attacker can use a vulnerable web application to bypass normal security measures and obtain direct access to the valuable data

SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches

Countermeasure
• Check the user's input provided to database queries
• Validate and sanitize every user variable passed to the database
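As an added example (not from the slides), a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table. The table, the user names and the function names are assumptions for the demo; the point is that a bound parameter is always data and cannot change the structure of the query.

```python
import sqlite3


def build_db():
    """Constructed sample user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret'), ('bob', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """User variables are pasted straight into the SQL text, so quotes in the
    input change the query's structure instead of being treated as data."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same query with bound parameters: the driver passes the values separately
    from the SQL text, so a quote in the input stays a literal character."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"   # the textbook input typed into a login field
    print(login_vulnerable(db, tautology, tautology))  # a user, with no valid password
    print(login_hardened(db, tautology, tautology))    # None: treated as literal text
    print(login_hardened(db, "alice", "s3cret"))       # alice
```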
Cookie/Session Poisoning

Cookies are used to maintain session state in the otherwise stateless HTTP protocol

Poisoning allows an attacker to inject malicious content, modify the user's on-line experience, and obtain unauthorized information

A proxy can be used for rewriting the session data, displaying the cookie data, and/or specifying a new user ID or other session identifiers in the cookie

Countermeasures

Do not store plain text or weakly encrypted passwords in a cookie

Implement cookie timeouts

A cookie's authentication credentials should be associated with an IP address

Make logout functions available
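As an added example (not from the slides), a session cookie that implements the four countermeasures above in Python: no password in the cookie, an expiry, binding to the client IP, and a server-side logout. The cookie carries its fields plus an HMAC so a proxy that rewrites the user ID or session data is detected. The key, timeout and function names are assumptions for the demo.

```python
import hashlib
import hmac
import time

# Server-side signing key; assumed to be loaded from protected configuration.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
SESSION_TIMEOUT = 900          # seconds a cookie stays valid (the cookie timeout)
REVOKED = set()                # cookies invalidated by the logout function


def issue_cookie(user_id, client_ip, now=None):
    """Issue a session cookie holding the user id, the client IP and an expiry,
    authenticated by an HMAC. No password, plain or encrypted, is stored in it.
    user_id is assumed not to contain the '|' separator."""
    expires = int(now if now is not None else time.time()) + SESSION_TIMEOUT
    payload = f"{user_id}|{client_ip}|{expires}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + tag


def verify_cookie(cookie, client_ip, now=None):
    """Return the user id if the cookie is intact, unexpired, not logged out and
    presented from the IP it was issued to; otherwise None."""
    if cookie in REVOKED:
        return None
    try:
        user_id, ip, expires, tag = cookie.split("|")
    except ValueError:
        return None                      # malformed: wrong number of fields
    payload = f"{user_id}|{ip}|{expires}"
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # user id, IP or expiry rewritten in transit
    current = now if now is not None else time.time()
    if current >= int(expires):
        return None                      # cookie timeout reached
    if ip != client_ip:
        return None                      # credentials bound to the issuing address
    return user_id


def logout(cookie):
    """Server-side logout: the cookie is rejected even though it has not expired."""
    REVOKED.add(cookie)
    return True
```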

Parameter/Form Tampering

Parameter/form tampering takes advantage of the hidden fields that work as the only security measure in some applications

Modifying this hidden field value will cause the web application to change according to the new data incorporated

It can cause theft of services, escalation of access, and session hijacking

Countermeasure: Field validity checking
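As an added example (not from the slides), field validity checking for an order form whose hidden price field is the only control: the trusting total beside a version that recomputes from a server-side catalog and rejects a modified hidden field or an out-of-range quantity. The catalog, field names and the constructed form bodies are assumptions for the demo.

```python
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {"1001": 499.00, "1002": 29.95}


class TamperedField(ValueError):
    """Raised when a submitted field disagrees with server-side data."""


def parse_order(form_body):
    """Decode a form body such as 'product_id=1001&qty=2' into single values."""
    return {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}


def order_total_trusting(order):
    """The pattern the slide warns about: the hidden 'price' field is the only
    control, so editing it in a saved copy of the form changes what is charged."""
    return int(order["qty"]) * float(order["price"])


def order_total_checked(order):
    """Field validity checking: recompute the total from the catalog and reject
    the request when the hidden field was modified or a value is out of range."""
    product = order.get("product_id")
    if product not in CATALOG:
        raise TamperedField("unknown product id")
    qty = int(order.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise TamperedField("quantity out of range")
    expected = CATALOG[product]
    if "price" in order and float(order["price"]) != expected:
        raise TamperedField("hidden price field does not match catalog")
    return qty * expected


def is_valid_order(form_body):
    """True if the submission passes validity checking (TamperedField is a ValueError)."""
    try:
        order_total_checked(parse_order(form_body))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(order_total_trusting(parse_order("product_id=1001&qty=2&price=0.01")))   # 0.02
    print(order_total_checked(parse_order("product_id=1001&qty=2&price=499.00")))  # 998.0
    print(is_valid_order("product_id=1001&qty=2&price=0.01"))                      # False
```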

Hidden Field at

Buffer Overflow

A buffer overflow corrupts the execution stack of a web application

Buffer overflow flaws in custom web applications are less likely to be detected

Almost all known web servers, application servers, and web application environments are susceptible to attack (but not Java and J2EE environments, except for overflows in the JVM itself)

Countermeasures

Validate input length in forms

Check bounds and maintain extra care when using loops to copy data

StackGuard and StackShield for Linux are tools to defend programs and systems against stack-smashing

Directory Traversal/Forceful Browsing

A directory traversal/forceful browsing attack occurs when the attacker is able to browse directories and files outside the normal application access

It exposes the directory structure of the application, and often the underlying web server and operating system

An attacker can enumerate contents, access secure or restricted pages, gain confidential information, locate source code, and so on

Countermeasures

Define access rights to the protected areas of the website

Apply checks/hot fixes that prevent the exploitation of the vulnerability, such as the use of Unicode to effect directory traversal

Web servers should be updated with security patches in a timely manner
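As an added example (not from the slides), the check that keeps a requested path inside the web root described in the two slides above: the URL path is decoded once (as the web server does), canonicalised so that '..' segments are resolved, and then compared against the document root. The root path, exception name and constructed request paths are assumptions for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/app/public"   # assumed document root of the application


class ForcefulBrowsing(PermissionError):
    """Raised when a request would resolve to a file outside the web root."""


def resolve_request_path(request_path, web_root=WEB_ROOT):
    """Map a URL path onto a file path under web_root, refusing any request
    that escapes it. The path is URL-decoded first (as the web server would),
    so encoded '..' and '/' are checked in their decoded form, then
    canonicalised lexically so '..' segments are resolved before the check."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise ForcefulBrowsing("NUL byte in path")
    decoded = decoded.replace("\\", "/")           # treat backslash as a separator
    candidate = posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))
    if posixpath.commonpath([web_root, candidate]) != web_root:
        raise ForcefulBrowsing(f"{request_path!r} resolves outside the web root")
    return candidate


def is_allowed(request_path):
    """True if the request stays inside the web root."""
    try:
        resolve_request_path(request_path)
        return True
    except ForcefulBrowsing:
        return False


if __name__ == "__main__":
    # Constructed requests: two legitimate, two traversal attempts.
    for path in ["/images/logo.png", "/docs/../index.html",
                 "/../../../etc/passwd", "/..%2f..%2f..%2f..%2fetc/passwd"]:
        print(path, "->", is_allowed(path))
```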

Cryptographic Interception

Using cryptography, a confidential message can be securely sent between two parties

Encrypted traffic flows through network firewalls and IDS systems and is not inspected

If an attacker is able to take advantage of a secured channel, he/she can exploit it more efficiently than an open channel

Countermeasure
• Use of Secure Sockets Layer (SSL) and advanced private key protection

Authentication Hijacking

Authentication prompts a user to supply the credentials that allow access to the application

It can be accomplished through:
• Basic authentication
• Strong authentication methods

Web applications authenticate in varying methods

Enforcing a consistent authentication policy between multiple and disparate applications can prove to be a real challenge

A security lapse can lead to theft of service, session hijacking, and user impersonation

Countermeasures

Use authentication methods that use secure channels wherever possible

Instant SSL can be configured easily to encrypt all traffic between the client and the application

Use cookies in a secure manner where possible

Error Message Interception

Information in error messages is often rich with site-specific information that can be used to:
• Determine the technologies used in the web applications
• Determine whether the attack attempt was successful
• Receive hints for attack methods to try next

Countermeasure
• Website cloaking capabilities make enterprise web resources invisible to hackers

Attack Obfuscation

Attackers often work hard to mask and otherwise hide their attacks to avoid detection

The most common method of attack obfuscation involves encoding portions of the attack with Unicode, UTF-8, or URL encoding

Multiple levels of encoding can be used to further bury the attack

It is used for theft of service, account hijacking, information disclosure, website defacement, and so on

Countermeasures:
• Thoroughly inspect all traffic
• Block or translate Unicode and UTF-8 encoding to detect attacks
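As an added example (not from the slides), the "translate encoding to detect attacks" countermeasure run over a constructed access log: each line is decoded to a fixed point, undoing %uXXXX Unicode, overlong UTF-8 and multiple layers of URL encoding, before the signatures are applied, and the same signatures are run on the raw lines to show what a naive filter misses. The signatures, sample log lines and function names are assumptions for the demo.

```python
import re
from urllib.parse import unquote_to_bytes

SIGNATURES = [   # matched against the decoded request, not the raw bytes
    ("directory traversal", re.compile(r"\.\./")),
    ("script injection", re.compile(r"<script", re.IGNORECASE)),
    ("sql tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.IGNORECASE)),
]

def decode_layer(text):
    """Undo one encoding layer: %uXXXX (IIS-style Unicode), then %XX bytes. Two-byte
    UTF-8 is decoded even when overlong (e.g. %c0%af for '/') so it cannot hide a char."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    raw, out, i = unquote_to_bytes(text), [], 0
    while i < len(raw):
        if 0xC0 <= raw[i] <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(raw[i]))  # ASCII, or a stray byte kept as Latin-1
            i += 1
    return "".join(out)

def normalize(text, max_layers=5):
    """Decode repeatedly until the text stops changing (multi-level encoding)."""
    for _ in range(max_layers):
        decoded = decode_layer(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_log(lines, decode=True):
    """(line number, signature) per hit; decode=False runs signatures on the raw line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        subject = normalize(line) if decode else line
        for name, pattern in SIGNATURES:
            if pattern.search(subject):
                hits.append((number, name))
    return hits

# Constructed access-log sample: one benign request and three encoded attacks.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Oct/2008:13:55:36 +0000] "GET /index.asp?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Oct/2008:13:55:40 +0000] "GET /..%c0%af..%c0%afetc/passwd HTTP/1.1" 404 0',
    '10.0.0.7 - - [10/Oct/2008:13:55:44 +0000] "GET /default.asp?name=%253Cscript%253EevilScript()%253C/script%253E HTTP/1.1" 200 388',
    '10.0.0.7 - - [10/Oct/2008:13:55:50 +0000] "GET /login.asp?user=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1020',
]
```

Running `scan_log(SAMPLE_LOG, decode=False)` reports nothing, while `scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4.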
DMZ Protocol Attacks

A DMZ (Demilitarized Zone) is a semi-trusted network zone that separates the untrusted Internet from the company's trusted internal network

Most companies limit the protocols allowed to flow through their DMZ

An attacker who is able to compromise a system that allows other DMZ protocols has access to other DMZ and internal systems. This level of access can lead to:
• Compromise of the web application and data
• Defacement of websites
• Access to internal systems, including databases, backups, and source code

DMZ

Countermeasures

Deploy a robust security policy

Adopt a sound auditing policy

Use signatures to detect and block well-known attacks
• Signatures must be available for all forms of attack and must be continually updated

Zero-Day Attacks

Zero-day attacks take place between the time a vulnerability is discovered by a researcher or attacker and the time that the vendor issues a corrective patch

Most zero-day attacks are only available as hand-crafted exploit code, but zero-day worms have caused rapid panic

A zero-day vulnerability is the launching point for further exploitation of the web application and environment

Countermeasures:
• No security solution can claim that it will totally protect against all zero-day attacks
• Enforce stringent security policies
• Deploy a firewall and enable heuristics scanning (heuristics: common-sense rules drawn from experience, used to solve problems)

Acunetix Web Scanner

Acunetix launches all the Google hacking database queries onto the crawled content of your website, to find any sensitive data or exploitable targets before a "search engine hacker" does

Source: http://www.acunetix.com

Summary

Web applications are client/server software applications that interact with users or other systems using HTTP

Attackers may try to deface the website, steal credit card information, inject malicious code, exploit server-side scripting, and so on

Command injection, XSS attacks, SQL injection, cookie snooping, cryptographic interception, and buffer overflow are some of the threats against web applications

Organization policies must support the countermeasures against all such types of attacks
